Geertjan's Blog

  • July 26, 2005

Secure That Session Bean!

Geertjan Wielenga
Product Manager
Using Ethereal, the sniffer from my earlier post NetBeans IDE, Sniffers, and the Deviant Computer User, I 'sniffed' (i.e., 'preemptively hacked') the application described in the Building Secure Enterprise Beans in NetBeans IDE tutorial. This is the data stream that Ethereal intercepted between the session bean and the web application:

When I decoded the garbled authorization string (as described in step 6 here), the IDE's Output window displayed the username and password that the server requires in order for the web application to access the session bean:

The point is this: HTTP Basic Authentication is useful for illustrative purposes only. Basic Authentication sends the username and password base64-encoded, not encrypted, so over a plain connection anyone who can observe the stream recovers them as easily as the IDE did above. To really secure an application, a far more robust security strategy should be adopted -- and that strategy is Secure Sockets Layer (SSL). SSL provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection. It includes support for a public key certificate, which is the digital equivalent of a passport. It is issued by a trusted organization, called a certificate authority (CA), and provides identification for the bearer. For details, read the Understanding Login Authentication section in the J2EE Tutorial.
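As an added example (not code from this post or from the NetBeans tutorial), here is a small Python audit that scans a constructed request capture, standing in for the stream Ethereal intercepted, for Basic-auth headers and reports the usernames they expose with the passwords masked. The sample request, its path and its credentials are made up for the example; it shows the point of step 6 above, that base64 is an encoding, not encryption, so a plaintext capture gives up the credentials without any key.

```python
import base64
import binascii
import re

# Constructed sample of an intercepted HTTP request (path and credentials are
# made up); it stands in for the stream captured between the web application
# and the session bean.
SAMPLE_CAPTURE = (
    "POST /SecureBean HTTP/1.1\r\n"
    "Host: localhost:8080\r\n"
    "Authorization: Basic ZWpiVXNlcjpzM2NyM3Q=\r\n"
    "Content-Type: text/xml\r\n"
    "\r\n"
)

# One Basic-auth header per line; \s* at the end also swallows the \r of CRLF.
AUTH_RE = re.compile(r"^Authorization:\s*Basic\s+(\S+)\s*$",
                     re.IGNORECASE | re.MULTILINE)


def decode_basic_credentials(token):
    """Return (username, password) from a Basic-auth token, or None if the
    token is not valid base64 for a 'user:password' string.  base64 is a
    reversible encoding: no secret is needed to undo it."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")
    return user, password


def audit_capture(capture):
    """Scan captured request text for Basic-auth headers and report what an
    observer of the plaintext stream would learn.  Passwords are masked so
    the report itself does not leak them."""
    findings = []
    for match in AUTH_RE.finditer(capture):
        creds = decode_basic_credentials(match.group(1))
        if creds is None:
            findings.append({"username": None, "note": "undecodable Basic token"})
            continue
        user, password = creds
        findings.append({"username": user, "password_masked": "*" * len(password)})
    return findings


if __name__ == "__main__":
    for finding in audit_capture(SAMPLE_CAPTURE):
        print("exposed Basic credentials:", finding)
```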

Comments (3)
  • john.c Wednesday, July 27, 2005
    Ouch! I go through the trouble of building an Ultra-Secure EJB and Geertjan cracks it in no time! We'll have to settle this like men! On the bowling lanes. :-)
    Yup, the example was a very simplistic one just to show where in the DDs you configure this. I'd better put a warning in so no one tries to secure their EJBs like this.
  • Geertjan Wednesday, July 27, 2005
    If you throw in a few beers, I'll happily destroy you on any bowling lane of your choice.
  • panchal Wednesday, January 18, 2006
    good